Usman Khan-DTS Web Security Solutions, A 360 Approach

Web security is the key challenge today for enterprises around the globe. By their very nature, web applications must expose a public interface, or at least an interface beyond the corporate firewall. This exposure obliges us to be more defensive and better protected. Websites are the top choice of attackers for their exploits, which is why global attack traffic is mostly web based.

[Figure: Percentage of global internet attack traffic during 3rd quarter 2013, by targeted ports (Statista)]

Five Stages of Attacks

Phase 1 – Silent Introspection

The first phase of the attack is silent introspection. The attacker gathers as much information as possible and starts identifying potentially vulnerable areas of the application. They do this discreetly, using tools such as web debugging proxies to monitor the traffic between the browser and the web server. The attacker can then traverse the site much like a normal user while collecting valuable information about how the application works. This activity goes undetected because, as far as the server is concerned, it is the traffic of a legitimate user. At this point the attacker stops interacting with the target server directly and spends significant time reviewing the data collected by the debugging proxy, extracting useful facts about the environment. These may include the type of hardware and software in the network architecture, programming languages, libraries, source code, and comments. This information helps with the later phases of the attack.

Phase 2 – Attack Vector Establishment

The second phase is attack vector establishment. This phase begins once the attacker has gained an understanding of the application design, and the breadth of its attack surface. Until now, the interaction with the server has been fairly benign and undetectable, but in this phase, things get a little louder. For this reason, attackers will often start using an anonymous proxy to interact with the server. They may also employ other protective measures such as browser privacy controls, firewalls, antivirus, and virtual machines. Once attackers are confident that their traffic can no longer be traced, the real work can begin. With notes in hand, and a debugging proxy up and running, the attacker starts to seek out dynamic pages, especially those which accept form or query input. The attacker will then determine what the various input parameters are, and attempt to derive boundary cases for them. The idea is to send boundary case values to the application to provoke an unintended response from the server. For example, the attacker might change the value of a query parameter from “txt” to “xml” in an attempt to get the server to send some informative XML data.
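The boundary probing described above works only because different inputs draw different responses from the server. As an added example (not DTS, Juniper or Fortinet code), the following Python handler shows the defensive counterpart: an allow-list for the `format` parameter and a single generic rejection for every out-of-bounds value, with the rejected value written to the log for detection rather than reflected back. The handler, parameter name, allow-list and log fields are assumptions made for this illustration.

```python
"""Uniform handling of boundary-case input for a 'format' query parameter.

Added example (not DTS, Juniper or Fortinet code): a hardened request handler
that allow-lists the values it accepts and answers every rejected value with
the same generic response, so probing the boundaries of the parameter yields no
oracle about the server. The handler, parameter name, allow-list and log
format are constructed for this illustration.
"""
import json
import logging
from typing import Dict, Optional, Tuple

logger = logging.getLogger("input-anomaly")

ALLOWED_FORMATS = {"txt", "csv"}   # constructed allow-list; "xml" is deliberately not offered
MAX_PARAM_LEN = 16

# One 400 response shared by every rejection path: same status, same bytes.
GENERIC_REJECT: Tuple[int, str] = (400, json.dumps({"error": "bad request"}))


def validate_format(value: object) -> Optional[str]:
    """Return the canonical format, or None if the value fails any boundary check."""
    if not isinstance(value, str):
        return None                     # wrong type (e.g. a repeated parameter parsed as a list)
    if not value or len(value) > MAX_PARAM_LEN:
        return None                     # empty or overlong
    if not value.isascii() or not value.isalnum():
        return None                     # control characters, path separators, unicode look-alikes
    normalized = value.lower()
    return normalized if normalized in ALLOWED_FORMATS else None


def handle_export(params: Dict[str, object], client_ip: str) -> Tuple[int, str]:
    """Return (status, body). Rejections are logged for detection, never echoed to the client."""
    raw = params.get("format")
    fmt = validate_format(raw)
    if fmt is None:
        # The raw value goes to the log (truncated) so repeated probing from one
        # client is visible to monitoring, while the response stays generic.
        logger.warning(json.dumps({"event": "param_rejected", "param": "format",
                                   "raw": repr(raw)[:64], "client": client_ip}))
        return GENERIC_REJECT
    return 200, json.dumps({"format": fmt, "rows": 0})   # constructed placeholder export


def probe_is_uniform(probes, client_ip: str = "203.0.113.7") -> bool:
    """True when every probe in the list is rejected with a byte-identical response."""
    responses = {handle_export({"format": p}, client_ip) for p in probes}
    return responses == {GENERIC_REJECT}
```

The point of `probe_is_uniform` is the check a reviewer would run before shipping such a handler: an empty value, an overlong value, a path-like value, a wrong type and an unexpected format must all produce exactly the same response, otherwise the differences become the "informative" answer the attacker is fishing for.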

Phase 3 – Implementation

The third phase is implementation. This phase begins once the attacker has identified the vulnerabilities and their associated attack vectors. This is where the real damage begins. The scope of damage depends on the types of vulnerabilities that are exploited.

For example:

• The attacker starts to mine the database for sensitive information, delete existing information, or insert new fraudulent information.

• The attacker seeds the application with malicious code by way of XSS vulnerabilities and reflected parameters.

• The attacker designs complex phishing scams that use the vulnerabilities to give the scam credibility.

The possibilities are only constrained by the potential vectors and how they can be chained together to deliver more powerful payloads. Most of the damage has been done at this point.

Phase 4 – Automation

The fourth phase is automation. Attacks such as input parameter abuse are often single request vectors. This means that the damage happens within a single HTTP request. Sometimes, however, the execution of an attack vector provides incremental benefits each time it is performed. Generally, if the attack vector generates revenue for the attacker, the next step is to automate the attack. This enables the attacker to repeat the attack vector over and over again, multiplying the overall monetary gain.

Because the attackers must still remain undetected in order to execute the automated attack, they will generally code the attack into a remotely controlled bot. A bot allows attackers to distribute the automation logic across a large number of geographically dispersed computers. They can then disseminate the bot and reap the benefits without incurring any risk of detection. This tactic poses serious challenges for the administrator, because even if the attack is identified, an IP-based block will no longer be sufficient. To accomplish this, attackers will often use a prefabricated “command and control” kit that allows them to quickly raise and command a bot army.

Phase 5 – Maintenance

The final phase is maintenance. By now the attack is complete. The attacker has extracted as much data as experience and skill allow, and will go off to work on other projects until the automated bots start to fail. That failure signals that some fundamental vulnerability in the attack vector has been patched or modified. If the attacker cares enough, the entire process can start all over again, focusing on the parts of the application that are essential for the bot’s proper functioning. The attacker will find a workaround for the new patch, create an entirely new attack vector, or move to a different target altogether.

WAS

DTS's approach to web security is to provide a comprehensive 360-degree solution that protects web assets at every phase of an attack.

DTS counters these five stages of attack at the following two levels.

The Deception method.

Early detection, combined with a full-stack WAF. The first two stages of a web attack are countered by a deception tool, JWAS (Juniper Web Application Security), which generates responses to the attacker. The later stages are eliminated by the JWAS deception tool working together with a full-stack Web Application Firewall (WAF).

The deception layer first creates honeypots to disrupt information gathering and reconnaissance. It answers the attacker with fake responses and ultimately tries to make the attacker give up. JWAS builds a user profile from 200 different factors, allowing the system to differentiate a normal user from a persistent attacker.
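To make the deception and profiling ideas concrete, here is an added Python example (not JWAS, FortiWeb or DTS code) run over constructed access-log lines: requests to unlinked decoy paths mark a client as performing reconnaissance and receive fake content instead of a 404, a handful of constructed factors classify each client, and attacker IPs are then grouped by the behaviour they share rather than by address, which is why, as the automation phase notes, per-IP blocking alone is not enough. Decoy paths, IPs, user agents and scoring weights are all assumptions; the vendor's 200-factor profile is not reproduced.

```python
"""Deception-assisted client profiling over web access logs.

Added example, not JWAS, FortiWeb or DTS code. Decoy paths are planted where no
legitimate navigation leads; any client that requests one is exhibiting
reconnaissance and is answered with fake content rather than a 404. A few
constructed factors then separate a normal user from a persistent prober, and
attacker IPs are clustered by behaviour, since a distributed bot defeats
per-IP blocking. Log lines, paths, IPs and user agents are all constructed.
"""
import re
from collections import defaultdict

# Decoys: never linked from the real UI, so only scanners and manual probing reach them.
DECOY_PATHS = {"/backup/", "/admin-old/", "/api/v0/debug"}

# Common Log Format plus a quoted User-Agent field (constructed shape).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<ua>[^"]*)"$'
)

# Constructed sample: one ordinary shopper, one prober that changes tools
# mid-session, and a second address repeating the same decoy pattern.
SAMPLE_LOG = """\
198.51.100.10 - - [10/Oct/2013:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 2326 "Mozilla/5.0"
198.51.100.10 - - [10/Oct/2013:13:55:40 +0000] "GET /products?id=7 HTTP/1.1" 200 1523 "Mozilla/5.0"
198.51.100.10 - - [10/Oct/2013:13:56:02 +0000] "POST /cart HTTP/1.1" 302 0 "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2013:14:01:11 +0000] "GET /index.html HTTP/1.1" 200 2326 "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2013:14:01:12 +0000] "GET /backup/ HTTP/1.1" 200 512 "curl/7.30"
203.0.113.7 - - [10/Oct/2013:14:01:13 +0000] "GET /admin-old/ HTTP/1.1" 200 640 "curl/7.30"
203.0.113.7 - - [10/Oct/2013:14:01:14 +0000] "GET /export?format=xml HTTP/1.1" 400 21 "curl/7.30"
192.0.2.44 - - [10/Oct/2013:14:03:01 +0000] "GET /backup/ HTTP/1.1" 200 512 "curl/7.30"
192.0.2.44 - - [10/Oct/2013:14:03:02 +0000] "GET /admin-old/ HTTP/1.1" 200 640 "curl/7.30"
"""


def parse_line(line):
    """Return a dict of fields, or None for a line that does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["base_path"] = rec["path"].split("?", 1)[0]
    return rec


def decoy_response(base_path):
    """Fake but plausible content for a decoy, so the prober keeps digging where nothing is."""
    if base_path in DECOY_PATHS:
        return 200, "<html><title>Index of %s</title></html>" % base_path  # constructed bait page
    return 404, ""


def profile_clients(lines):
    """Aggregate per-IP factors: request count, error count, decoys touched, user agents seen."""
    profiles = defaultdict(lambda: {"requests": 0, "errors": 0, "decoys": set(), "uas": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        p = profiles[rec["ip"]]
        p["requests"] += 1
        p["errors"] += int(rec["status"] >= 400)
        if rec["base_path"] in DECOY_PATHS:
            p["decoys"].add(rec["base_path"])
        p["uas"].add(rec["ua"])
    return dict(profiles)


def classify(p):
    """'attacker', 'suspicious' or 'normal' from the constructed factors above."""
    score = 3 * len(p["decoys"])                        # a decoy hit is never legitimate browsing
    if p["requests"] and p["errors"] / p["requests"] > 0.5:
        score += 2                                       # mostly errors: guessing, not browsing
    if len(p["uas"]) > 1:
        score += 1                                       # user agent changes mid-session
    return "attacker" if score >= 3 else "suspicious" if score >= 1 else "normal"


def group_by_behaviour(profiles):
    """Cluster attacker IPs by the set of decoys they touched: one campaign, many addresses."""
    groups = defaultdict(set)
    for ip, p in profiles.items():
        if classify(p) == "attacker":
            groups[tuple(sorted(p["decoys"]))].add(ip)
    return {k: sorted(v) for k, v in groups.items()}


def analyse(log_text=SAMPLE_LOG):
    """Return (per-IP verdicts, behaviour clusters) for a block of log text."""
    profiles = profile_clients(log_text.splitlines())
    return {ip: classify(p) for ip, p in profiles.items()}, group_by_behaviour(profiles)
```

Running `analyse()` on the sample flags both probing addresses and places them in the same cluster because they touched the same decoys; a block keyed on that cluster survives the attacker moving to a fresh address, whereas a block on 203.0.113.7 alone does not.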

Full stack Web Application Firewall.
The firewall solution deployed by DTS for web protection is FortiWeb. Some of the highlights of the FortiWeb solution are:

  • WAF throughput from 100 Mbps to 4 Gbps.
  • The only WAF product that provides a Vulnerability Scanner module within the web application firewall that completes a comprehensive solution for PCI DSS requirement 6.6.
  • Guarantees security of web applications and secures sensitive database content by blocking threats such as cross-site scripting, SQL injection, buffer overflows, file inclusion, denial of service, cookie poisoning, schema poisoning, and countless other attacks.
  • Aids in PCI DSS 6.6 compliance by protecting against OWASP Top 10 web application vulnerabilities.
  • Centralized Management and Administrative Domains (ADOMs) provide the abilities to manage multiple FortiWeb gateways from a single console and provide administration rights to designated domain owners to manage their own applications separately from others on the same FortiWeb device.
  • IP Reputation Service helps protect against automated web attacks by identifying access from botnets and malicious sources.
  • Bot dashboard analyzes traffic from malicious robots, crawlers, scanners and search engines.
  • Automatically and dynamically profiles user activity to create a baseline of allowed activity.
  • Network and application layer DoS/DDoS protection.
  • SSL encryption co-processing accelerates transaction times, offloads encryption functions, and reduces web server processing requirements.
  • Layer 7 load balancing and content-based routing increases application speeds, improves server resource utilization and stabilizes applications.